
What Lies Beneath? Analyzing Automated SSH Bruteforce Attacks

Conference paper
Technology and Practice of Passwords (PASSWORDS 2015)

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 9551)

Abstract

We report on what we believe to be the largest dataset (to date) of automated secure shell (SSH) bruteforce attacks. The dataset includes plaintext password guesses in addition to timing, source, and username details, which allows us to analyze attacker behaviour and dynamics (e.g., coordinated attacks and password dictionary sharing). Our methodology involves hosting six instrumented SSH servers in six cities. Over the course of a year, we recorded a total of ∼17M login attempts originating from 112 different countries and over 6K distinct source IP addresses. We shed light on attacker behaviour, and based on our findings provide recommendations for SSH users and administrators.


Notes

  1. We used the http://ipinfo.io IP geolocation database [12] to obtain geographic location and Autonomous System (AS) information of these IP addresses.

  2. Although a logged IP address may not necessarily belong to a user with deliberate malicious intent (e.g., it could be remotely exploited by a malicious third party), we refer to the IP as such for simplicity.

  3. Attackers may guess only lowercase passwords more frequently in expectation that system administrators pick these types of passwords more often.

  4. In Fig. 8, we show a similar heatmap for overlap between the largest 1000 per-IP dictionaries (i.e., the passwords seen used by each IP).

  5. We believe it is unlikely that all such highly overlapping dictionaries belong to a single attacker, since many of their bruteforcing behaviours were different, e.g., timing dynamics, rate of attempts, etc. Even dictionary pairs with extreme overlap had different guessing orders.

  6. Attackers may be unwilling to change the password or patch the vulnerability used to compromise the system, so as to avoid detection by its legitimate user.

References

  1. Internet Storm Center - SSH Scanning Activity. https://isc.sans.org/ssh.html, September 13 (2015)

  2. Nagios. https://www.nagios.org, September 13 (2015)

  3. Country IP Blocks - Allocation of IP addresses by Country. www.countryipblocks.net/allocation-of-ip-addresses-by-country.php, September 13 (2015)

  4. Alsaleh, M., Mannan, M., van Oorschot, P.C.: Revisiting defenses against large-scale online password guessing attacks. IEEE Trans. Dependable Secure Comput. (TDSC) 9(1), 128–141 (2012)

  5. Bergadano, F., Crispo, B., Ruffo, G.: High dictionary compression for proactive password checking. ACM Trans. Inf. Syst. Secur. (TISSEC) 1(1), 3–25 (1998)

  6. Bonneau, J.: The science of guessing: Analyzing an anonymized corpus of 70 million passwords. In: IEEE Symposium on Security and Privacy (2012)

  7. Chiasson, S., van Oorschot, P.C.: Quantifying the security advantage of password. Des. Codes Crypt. 77, 1–8 (2015)

  8. Durumeric, Z., Wustrow, E., Halderman, J.A.: ZMap: Fast Internet-wide scanning and its security applications. In: USENIX Security (August 2013)

  9. Florencio, D., Herley, C., Coskun, B.: Do strong web passwords accomplish anything? In: USENIX HotSec, pp. 10:1–10:6 (2007)

  10. Florencio, D., Herley, C., van Oorschot, P.C.: An administrator's guide to internet password research. In: USENIX LISA (2014)

  11. Hofstede, R., Hendriks, L., Sperotto, A., Pras, A.: SSH compromise detection using NetFlow/IPFIX. ACM SIGCOMM CCR 44(5), 20–26 (2014)

  12. IPinfo. IP Address Details - ipinfo.io. http://ipinfo.io, September 13 (2015)

  13. Javed, M., Paxson, V.: Detecting stealthy, distributed SSH brute-forcing. In: ACM CCS (2013)

  14. Owens, J., Matthews, J.: A study of passwords and methods used in brute-force SSH attacks. In: USENIX LEET (2008)

  15. Satoh, A., Nakamura, Y., Ikenaga, T.: Identifying user authentication methods on connections for SSH dictionary attack detection. In: IEEE Annual Computer Software and Applications Conference Workshops (COMPSACW) (2013)

  16. Sperotto, A., Sadre, R., de Boer, P.-T., Pras, A.: Hidden Markov model modeling of SSH brute-force attacks. In: Bartolini, C., Gaspary, L.P. (eds.) DSOM 2009. LNCS, vol. 5841, pp. 164–176. Springer, Heidelberg (2009)

  17. Thames, J.L., Abler, R., Keeling, D.: A distributed active response architecture for preventing SSH dictionary attacks. In: IEEE Southeastcon, pp. 84–89 (2008)

  18. Ylonen, T.: SSH - Secure login connections over the internet. In: USENIX Security (1996)


Acknowledgements

We thank Hala Assal, Elizabeth Stobert, Mohamed Aslan, Raphael Reischuk, and the anonymous referees for insightful comments which have improved this paper.

Author information

Corresponding author: AbdelRahman Abdou

Appendices

Appendix A SSH Servers on Non-standard Ports

A commonly suggested strategy to reduce the chances of guessing attacks succeeding is to change the default SSH listening port (TCP 22) to a non-standard port. Using a port other than the default requires client-side changes, so easy-to-remember ports (such as 2222 or 2022) are sometimes suggested by administrators and users [14]. To investigate the validity of this suggestion, we created a network daemon that accepts incoming connections on all TCP ports (except port 22). When a new connection is received, the daemon looks for an initial SSH handshake and immediately closes the connection. We recorded the source IP, port number, and timestamp of all incoming SSH protocol connections. We ran this daemon on a separate VM over a 12-day period, and recorded 30,169 incoming connections to 522 distinct ports, of which 77 were SSH connections. These incoming connections originated from 9 distinct source IP addresses. The full list of ports that received SSH connections is given in Table 5. Notice that all incoming SSH connections were to ports containing the digit 2, many with two or more occurrences. Also of interest is that none of the 9 sources was seen making connections in the long-term or short-term study, hinting at the possibility that attackers dedicate some bots to scanning and attacking non-standard ports.

Despite the short duration of this port-number study, the results show that attackers do not simply ignore non-standard ports. With the availability of modern (and extremely fast) network scanning tools [8], attackers can quickly scan all open ports on sets of systems, typically identified by an IPv4 address. Thus, moving an SSH daemon to a port other than 22 may not provide a comprehensive solution.
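The following is an added illustration of the kind of listener Appendix A describes; it is not the authors' daemon. It binds a set of TCP ports, waits briefly for the peer's SSH identification string (RFC 4253, section 4.2: "SSH-protoversion-softwareversion SP comments CR LF", at most 255 bytes), records the timestamp, source IP, destination port and whether the peer spoke SSH, and closes the connection. The port list, the read timeout and the log-line format are assumptions of this example; the paper's daemon listened on every port except 22, which on a real host would be done with a firewall redirect rule rather than by binding each port.

```python
import re
import selectors
import socket
import time
from datetime import datetime, timezone
from typing import Optional

# RFC 4253, section 4.2: "SSH-protoversion-softwareversion SP comments CR LF".
# Some scanners end the line with a bare LF, so CR is optional here.
_IDENT_RE = re.compile(rb"^SSH-(\d+\.\d+)-([^\s]+)(?: ([^\r\n]*))?\r?\n")


def parse_ssh_identification(data: bytes) -> Optional[dict]:
    """Return the fields of an SSH identification string, or None when the
    first bytes the peer sent are not an SSH banner."""
    m = _IDENT_RE.match(data)
    if m is None:
        return None
    proto, software, comments = m.groups()
    return {
        "protoversion": proto.decode("ascii", "replace"),
        "softwareversion": software.decode("ascii", "replace"),
        "comments": (comments or b"").decode("ascii", "replace"),
    }


def make_record(src_ip: str, dst_port: int, first_bytes: bytes, ts: float) -> dict:
    """One record per accepted connection: the fields Appendix A stores
    (source IP, port, timestamp) plus the SSH classification."""
    ident = parse_ssh_identification(first_bytes)
    return {
        "ts": ts,
        "src_ip": src_ip,
        "dst_port": dst_port,
        "is_ssh": ident is not None,
        "software": ident["softwareversion"] if ident else None,
    }


def format_record(rec: dict) -> str:
    """Tab-separated log line; the layout is an assumption of this example."""
    when = datetime.fromtimestamp(rec["ts"], tz=timezone.utc).isoformat()
    kind = "ssh" if rec["is_ssh"] else "other"
    return f"{when}\t{rec['src_ip']}\t{rec['dst_port']}\t{kind}\t{rec['software'] or '-'}"


def serve(ports, bind_addr="0.0.0.0", read_timeout=2.0, sink=print):
    """Accept on every port in `ports` (22 is skipped, as in the paper's
    setup), read at most one identification line, log it, and close.
    A client that waits for the server's banner before sending its own
    will hit the timeout and be logged as 'other'."""
    sel = selectors.DefaultSelector()
    for port in ports:
        if port == 22:
            continue
        lsock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        lsock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        lsock.bind((bind_addr, port))
        lsock.listen(16)
        lsock.setblocking(False)
        sel.register(lsock, selectors.EVENT_READ, data=port)
    while True:
        for key, _mask in sel.select():
            conn, (src_ip, _src_port) = key.fileobj.accept()
            conn.settimeout(read_timeout)
            try:
                first = conn.recv(255)   # banner is at most 255 bytes incl. CR LF
            except OSError:              # socket.timeout is an OSError subclass
                first = b""
            finally:
                conn.close()
            sink(format_record(make_record(src_ip, key.data, first, time.time())))


if __name__ == "__main__":
    # Assumed port set for a stand-alone run: the "easy to remember"
    # ports the appendix mentions plus a couple of neighbours.
    serve([2022, 2200, 2222, 22222])
```

Because the connection is closed right after the banner, nothing past the identification string is ever read, so the listener records only what the appendix records: who connected, to which port, when, and whether the first bytes were an SSH handshake.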

Table 5. List of non-standard ports on which incoming SSH connections were received.
Table 6. Top ten passwords.
Table 7. Top ten username-password combinations where the username is neither root nor admin. This set contains 294,694 combinations, of which 69,110 are unique.

Appendix B Top Usernames and Passwords (Non-root)

Table 6 shows the top ten usernames and passwords, including the top ten passwords that did not appear in the RockYou dataset (RockYou's top ten are also included for reference). From the second column, we notice that the top ten passwords in our set are likely related to conventions among system administrators, due to the nature of SSH. The most common attempted password, toor, is root spelled backwards. Nagios [2] is open-source monitoring software.

For reference, in Table 7 we list the most frequent username-password combinations in our set. Note that most of these combinations follow the “username as password” strategy described in Sect. 6.

Fig. 8. Overlap between per-IP dictionaries. This figure plots overlap between the 1000 largest per-IP dictionaries. Dictionaries are sorted by IP address. The histogram below the heatmap shows the number of passwords in the per-IP dictionary for the IP immediately above.

Appendix C Overlap of Per-IP Dictionaries

Figure 8 shows percentage overlap between per-IP dictionaries. For this graph, the per-IP dictionary contains the set of all passwords tried by that IP address during the full collection period. We sort the IP addresses numerically on the x and y axes, which allows us to identify large contiguous IP space exhibiting similar behaviour. For example, the subnet 103.41.124.0/24 contains many hosts with similarly sized dictionaries that have very little overlap (white vertical banding) with other dictionaries in the set.
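As an added example (not the authors' analysis code), the block below reproduces the steps behind Fig. 8 and notes 4 and 5 on a handful of constructed login records: it builds each IP's dictionary as the set of passwords that IP tried, orders the IPs numerically so that contiguous address space sits together on the axes, computes the pairwise overlap matrix, lists pairs whose overlap reaches a threshold, and counts how many sources each /24 contributes. The record format and the overlap definition (shared passwords as a fraction of the smaller dictionary) are assumptions of this example; the paper says "percentage overlap" without giving the denominator.

```python
import ipaddress
from collections import defaultdict
from itertools import combinations

# Constructed sample records, "epoch source_ip username password".
# These are invented for the example and are not the paper's data.
SAMPLE_ATTEMPTS = """\
1442102400 103.41.124.10 root toor
1442102401 103.41.124.10 root 123456
1442102402 103.41.124.10 admin admin
1442102403 103.41.124.11 root toor
1442102404 103.41.124.11 root 123456
1442102405 103.41.124.11 admin nagios
1442102406 198.51.100.7 root password
1442102407 198.51.100.7 root qwerty
1442102408 198.51.100.7 test test
1442102409 198.51.100.7 root toor
1442102410 10.0.0.5 oracle oracle
1442102411 10.0.0.5 root 123456
"""


def per_ip_dictionaries(text: str) -> dict:
    """Per-IP dictionary: the set of all passwords that IP tried."""
    dicts = defaultdict(set)
    for line in text.splitlines():
        parts = line.split(" ", 3)       # the password itself may contain spaces
        if len(parts) != 4:
            continue
        _ts, ip, _user, password = parts
        dicts[ip].add(password)
    return dict(dicts)


def overlap(a: set, b: set) -> float:
    """Fraction of the smaller dictionary that also occurs in the other one
    (assumed definition of 'percentage overlap')."""
    if not a or not b:
        return 0.0
    return len(a & b) / min(len(a), len(b))


def numeric_ip_order(ips) -> list:
    """Sort dotted-quad strings by address value, not lexically."""
    return sorted(ips, key=lambda ip: int(ipaddress.ip_address(ip)))


def overlap_matrix(dicts: dict, largest=None):
    """Rows and columns in numeric IP order, like the axes of Fig. 8,
    optionally restricted to the `largest` dictionaries by size
    (ties broken by lower address first)."""
    ips = list(dicts)
    if largest is not None:
        ips = sorted(ips, key=lambda ip: (len(dicts[ip]), -int(ipaddress.ip_address(ip))),
                     reverse=True)[:largest]
    ips = numeric_ip_order(ips)
    return ips, [[overlap(dicts[a], dicts[b]) for b in ips] for a in ips]


def high_overlap_pairs(dicts: dict, threshold: float = 0.8) -> list:
    """Pairs of sources whose dictionaries overlap at least `threshold`,
    i.e. candidates for dictionary sharing (note 5 cautions that shared
    dictionaries need not mean a single attacker)."""
    pairs = []
    for a, b in combinations(numeric_ip_order(dicts), 2):
        o = overlap(dicts[a], dicts[b])
        if o >= threshold:
            pairs.append((a, b, o))
    return pairs


def subnet_counts(dicts: dict, prefix: int = 24) -> dict:
    """Number of source IPs per /prefix: the contiguous blocks that show
    up as vertical bands in the heatmap."""
    counts = defaultdict(int)
    for ip in dicts:
        net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
        counts[str(net)] += 1
    return dict(counts)


if __name__ == "__main__":
    d = per_ip_dictionaries(SAMPLE_ATTEMPTS)
    ips, m = overlap_matrix(d)
    for ip, row in zip(ips, m):
        # last column mirrors the histogram under the heatmap: dictionary size
        print(f"{ip:>15} " + " ".join(f"{v:5.2f}" for v in row) + f"  |{len(d[ip])}|")
    print(high_overlap_pairs(d, 0.6))
    print(subnet_counts(d))
```

On the constructed sample the two 103.41.124.0/24 hosts overlap in two of three passwords while sharing at most one password with anyone else, which is the pattern the heatmap makes visible at scale; on real data the `largest` parameter is what limits the matrix to the 1000 biggest dictionaries shown in Fig. 8.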


Copyright information

© 2016 Springer International Publishing Switzerland

About this paper

Cite this paper

Abdou, A., Barrera, D., van Oorschot, P.C. (2016). What Lies Beneath? Analyzing Automated SSH Bruteforce Attacks. In: Stajano, F., Mjølsnes, S.F., Jenkinson, G., Thorsheim, P. (eds) Technology and Practice of Passwords. PASSWORDS 2015. Lecture Notes in Computer Science, vol 9551. Springer, Cham. https://doi.org/10.1007/978-3-319-29938-9_6


  • DOI: https://doi.org/10.1007/978-3-319-29938-9_6

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-29937-2

  • Online ISBN: 978-3-319-29938-9

  • eBook Packages: Computer Science (R0)
